Category Archives: Security

An upcoming trend for businesses to look out for is the “Beacon”. This is a small device which businesses can place within their premises to either gather information on their customers or push information to the customers by interacting with their smartphones (typically by a low-energy Bluetooth connection).

While this is not new technology, recent advances in the cost and power-efficiency of such beacons, and the greater prevalence of smartphone users in general and of smartphone users who use their devices while shopping, dining, or otherwise engaged in commerce in particular, have made beacon deployment a far more attractive proposition for data-savvy businesses. Beacons allow businesses not only to engage in very accurate location tracking of customers, but to push messages directly to customers based upon their location (e.g., as a customer walks by a rack of clothing, a message can be pushed to them, letting them know that everything on that rack is 20% off for today only). Likewise, businesses can track the flow of customer traffic: where customers do and do not go, the order in which they visit places within an establishment, and even, potentially, what items they stop and look at. This can clearly be powerful data for businesses to use, not only for interacting with customers, but in choosing the layout of a business and other “customer experience” considerations.

On the downside, there are potential privacy and security implications of this technology, not only for the customers / consumers, but also for the businesses collecting this data. The more intrusive (and non-anonymous) the data a business collects on its customers, the greater the need for policies, procedures, and infrastructure for dealing with this data safely, securely, and within the parameters of what the law requires. That having been said, this is very exciting technology that can open many new doors for businesses in terms of business intelligence and customer interaction.

For those using the Google Chrome web browser, it is important to know that a critical privacy bug has been found in the browser software which has not yet been fixed by Google.

Specifically, Chrome routinely stores sensitive information, such as names, e-mails, contact information, and/or even credit card information, which is typed by users into web forms at trusted websites. It appears that Chrome stores this information within the program in plain text which can be easily accessed by anyone with access to the user’s computer.

As such, until Google addresses this vulnerability, users should be extremely cautious in entering private data into websites using the Chrome browser if there is any chance that the user’s computer can be accessed by others. Furthermore, because the information is cached in the program without any encryption or any other security measures, any trojan horse or similar malware on a user’s computer could potentially access this information and forward it on to identity thieves.

While this clearly has serious potential repercussions for individuals using Chrome, the situation is even more serious for businesses, which could, as a result, be out of compliance with the PCI-DSS security rules that credit card processing companies usually mandate for any business that wants to be able to accept payments by credit card.

As such, individuals and businesses alike need to take this vulnerability very seriously.

The New Yorker has an excellent piece online which discusses in detail the events leading up to the shutdown of Lavabit, a secure e-mail provider which was used by Edward Snowden.

The article details the pressure placed upon Lavabit and its owner not just to turn over information that would shed light on Edward Snowden’s activities, but rather, information which would give the government wholesale access to all email passing through the service.

This article raises serious issues for IT companies that have committed to safeguard the privacy and/or security of their customers. It also raises serious concerns regarding the extent to which the U.S. Government is willing to (and in fact does) compromise the privacy of innocent U.S. citizens as a routine matter.

If you have purchased products directly from Adobe, you need to be aware of this and (i) be on the lookout for notification from Adobe about whether this affects you, and (ii) monitor your identity (particularly with respect to any card used to purchase the Adobe product), to ensure you are not a victim of identity theft.

Marketplace has aired an interesting piece on the growing trend of using “white hat” hackers as a part of corporate IT strategy as a means of testing and improving IT security.

It is well worth a listen, and is an excellent starting point for consideration of your business’s security and privacy measures. If some form of auditing of your security and privacy measures (not just hardware and software, but policies, procedures, and practices, as well) is not in place, then your company may needlessly be laying itself open to significant liability, expenses, and damage to business reputation.

This is an interesting piece on the IT company Lavabit, which, before its shutdown, provided secure e-mail services to its customers. The story details the steps taken by the FBI to force Lavabit to turn over encryption keys and take other steps which would not only provide the FBI with access to Edward Snowden’s e-mail account on the service, but would render vulnerable the accounts of any individual or company making use of the service, without warrant and without court oversight.

In pressuring Lavabit to capitulate to its requests for “technical assistance” including divulging the private encryption keys used by the service, the owner of the company was pursued for contempt of court, fined $10,000.00, and then threatened with arrest when he publicly announced his intention to shutter the company.

The tale of Lavabit is something of a cautionary tale for companies that provide IT services. But even more, it should be a wake-up call to both users and providers of IT services regarding the boundaries of privacy and the lengths to which the government is willing to steamroll even legitimate businesses which seek to guard their customers’ privacy.

With the recent release of the iPhone 5s, a new privacy concern comes hand-in-hand with the new device. One of the features being debuted with the iPhone 5s is Apple’s Touch ID, which allows the iPhone user to, among other things, unlock their phone with their fingerprint, using an embedded fingerprint reader in the phone.

Although fingerprint readers in electronic devices are not a new thing, by any means, Touch ID appears to be among the first (if not the first) incorporation of this technology into an always-connected mobile device. The concern with this new combination of technologies is over how the individual’s biometric data will be saved, who will have access to it, and how this may affect users’ privacy. These are questions which, based on the limited information which Apple has released about precisely how Touch ID works, remain unanswered.